[ovs-dev] [RFC PATCH v2 06/10] vxlanipsec: Add userspace support for vxlan ipsec.

Stokes, Ian ian.stokes at intel.com
Wed Nov 1 17:01:42 UTC 2017


> On Fri, Aug 25, 2017 at 05:40:28PM +0100, Ian Stokes wrote:
> > This patch introduces a new tunnel port type 'vxlanipsec'. This port
> > combines vxlan tunnelling with IPsec operating in transport mode.
> >
> > Ciphering and authentication actions are provided by a DPDK cryptodev.
> > The cryptodev operates as a vdev and is associated with the vxlan
> > tunnel port. Upon tunnel encapsulation packets are encrypted and a
> > hash digest attached to the packet as per RFC4303. Upon decapsulation
> > a packet is first verified via the hash and then decrypted.
> >
> > The cipher algorithm used is 128 AES-CBC and the authentication
> > algorithm is HMAC-SHA1-96. Note this work is in progress and is not
> > meant for upstream. Its purpose is to solicit feedback on the
> > approach and known issues flagged in the accompanying cover letter to
> > the patch series.
> >
> > Signed-off-by: Ian Stokes <ian.stokes at intel.com>
> 
> Thanks a lot for working on this feature!
> 
> When I compile without dpdk enabled, I now get:
> 
>     ../lib/netdev-vport.c:31:10: fatal error: 'rte_config.h' file not found
>     ../lib/netdev-native-tnl.c:35:10: fatal error: 'rte_config.h' file not found
> 
> "sparse" complains:
> 
>     ../lib/netdev-vport.h:40:22: warning: symbol 'spi_map' was not declared. Should it be static?

Hi Ben, thanks for looking at this. I flagged that compilation fails without DPDK enabled in the cover letter (I know, a big no-no; I didn't expect this code to be upstreamed in its current form, so I thought flagging it as known in the cover and keeping it as RFC would be ok).

For the purpose of this RFC my aim was to give people something to functionally test with, and hopefully gather opinions on issues such as the acinclude build steps, dependency on external libraries etc. as well as the overall design.

Any feedback you have as regards design or changes is more than welcome as I expect a few more RFC revisions before nailing something concrete down.

Ian
> 
> There is obviously a lot of code here to review, but I have not started on
> that yet.

